Bug#975616: buster-pu: package neomutt/neomutt_20180716+dfsg.1-1+deb10u2

2020-11-23 Thread Antonio Radici
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: j...@inutil.org, car...@debian.org

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Same as bugs.debian.org/975514, except that one is for mutt and this one is for
neomutt. The patch is the same and it addresses the same CVE (CVE-2020-28896).

The security team is aware; they suggested going through buster-updates
rather than a DSA for this particular issue.

debdiff is attached, I've also done an upload already.

[ Impact ]
Prevents login information from being sent over an encrypted connection when certain
conditions happen.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
See the "Reason" section.

[ Other info ]
(Anything else the release team should know.)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru neomutt-20180716+dfsg.1/debian/changelog 
neomutt-20180716+dfsg.1/debian/changelog
--- neomutt-20180716+dfsg.1/debian/changelog2020-06-20 07:42:44.0 
+0200
+++ neomutt-20180716+dfsg.1/debian/changelog2020-11-24 07:55:28.0 
+0100
@@ -1,3 +1,11 @@
+neomutt (20180716+dfsg.1-1+deb10u2) buster; urgency=medium
+
+  * debian/patches:
++ security/CVE-2020-28896.patch: handle the relevant CVE to stop sending
+  login information over an encrypted connections in certain conditions.
+
+ -- Antonio Radici   Tue, 24 Nov 2020 07:55:28 +0100
+
 neomutt (20180716+dfsg.1-1+deb10u1) buster-security; urgency=high
 
   * debian/patches:
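Review bot: the wording of the new entry, `+  login information over an encrypted connections in certain conditions.`, inverts the issue: the upstream description further down in this debdiff says credentials could be sent over an unencrypted connection, and "an ... connections" also mixes singular and plural. Suggest `stop sending login information over an unencrypted connection in certain conditions`. The entry also names the patch file but not what the bug means for a user (a malicious IMAP server can trigger it), which is what someone reading the point-release changelog through apt-listchanges wants to see.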
diff -Nru neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch 
neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
--- neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
1970-01-01 01:00:00.0 +0100
+++ neomutt-20180716+dfsg.1/debian/patches/security/CVE-2020-28896.patch
2020-11-24 07:55:28.0 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy 
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
 b/imap/imap.c
+@@ -1110,9 +1110,9 @@
+ 
+ #ifdef USE_SSL
+ err_close_conn:
+-  imap_close_connection(idata);
+ #endif
+ bail:
++  imap_close_connection(idata);
+   FREE(>capstr);
+   return -1;
+ }
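Review bot: two lines of the embedded upstream diff are not usable as shown: ` b/imap/imap.c` has lost its `+++` file marker and `+   FREE(>capstr);` is not valid C (the address-of expression before `>capstr` is missing, so that context line cannot match the source). If this is only the mail archive eating `+++` and `&`, the uploaded patch is fine, but please confirm it applies under dpkg-source, which runs `patch` with fuzz 0, rather than trusting the rendered debdiff. The change itself is sound: moving `imap_close_connection(idata);` from under `err_close_conn:` to under `bail:` closes the socket on every error exit, not only the `USE_SSL` one, so a caller that looks at connection state instead of the return value can no longer proceed to authentication on a half-open connection. The file is a plain `git format-patch` header; a DEP-3 `Origin:` line naming the upstream commit (the hash in the `From` line) and a `Bug-Debian:` reference would make provenance explicit.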
diff -Nru neomutt-20180716+dfsg.1/debian/patches/series 
neomutt-20180716+dfsg.1/debian/patches/series
--- neomutt-20180716+dfsg.1/debian/patches/series   2020-06-20 
07:42:44.0 +0200
+++ neomutt-20180716+dfsg.1/debian/patches/series   2020-11-24 
07:55:28.0 +0100
@@ -4,3 +4,4 @@
 misc/smime.rc.patch
 security/CVE-2020-14093.patch
 security/handle-starttls.patch
+security/CVE-2020-28896.patch
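Review bot: the new patch is appended after `security/handle-starttls.patch`, which by its name touches the same IMAP STARTTLS connection code; the context the new patch expects (`err_close_conn:` under `#ifdef USE_SSL`, then `bail:`) must match the file after that earlier patch has been applied, so verify the quilt stack in series order rather than against pristine upstream.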


Bug#975589: transition: gnat-10

2020-11-23 Thread Nicolas Boulenguez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello.

The gcc-$V source package builds the Ada compiler (gnat-$V) and
companion libraries (libgnat-$V and libgnat_util-$V).
The default Ada compiler is selected by the gnat package.
In unstable, gnat Depends: gnat-9.
In experimental, gnat Depends: gnat-10.

Ada libraries have specific requirements.
* They must Build-Depend: gnat-$V (in addition to gnat).
* Each -dev package name carries a version, similar to the shared
  object version for lib packages.  Most changes in the source require
  a renaming of the -dev package, and a source upload of all reverse
  dependencies.
In order to reduce the number of such transitions, many unrelated
changes, like new upstream releases, are introduced with a libgnat
transition and tested in experimental.

Ben file:

title = "gnat-10";
is_affected = .depends ~ "libgnat-8" | .depends ~ "libgnat-9" | .depends ~ "libgnat-10";
is_good = .depends ~ "libgnat-10";
is_bad  = .depends ~ "libgnat-8" | .depends ~ "libgnat-9";

The affected source packages are:

adabrowse
adacgi
adacontrol
adasockets
ahven
anet
asis
dbusada
dh-ada-library
gprbuild
libalog
libaunit
libaws
libflorist
libgmpada
libgnatcoll
libgnatcoll-bindings
libgtkada
liblog4ada
libncursesada
libtemplates-parser
libtexttools
libxmlada
libxmlezout
pcscada
plplot

libgnatcoll-db/21.0.0-3 fails to build on mipsel in experimental, and
sometimes on mips64el (#971018, reported at
https://lists.debian.org/debian-mips/2020/09/msg00010.html).
It won't migrate from unstable to testing.
19.2-3 in testing depends on gnat/9 and will block the transition.
Please remove libgnatcoll-db/19.2-3 from testing.

gnat-gps is removed from testing and RC-buggy in unstable because it
depends on python2 (and libgnatcoll-python below).
Version 19.2-3 in unstable does not build with gnat-10, and fixing
this would be wasted work.
Version 20 is not ready, and won't be part of next release anyways, so
the best option is probably to remove it from unstable for now.  It
needs a passage through the NEW queue anyways for unrelated reasons.
Please remove gnat-gps/19.2-3 from unstable.

libgnatcoll-python is removed from testing and RC-buggy in unstable
because it depends on python2 (upstream is working on this).
For now, it builds with gnat-10 and python2 in experimental.
It won't be part of next release, but can be updated like normal
packages and should not prevent the migration of other packages.

These packages mention no versioned -dev.  They will only need a
rebuild once their dependencies are available in unstable.
nmu music123_16.6-1 . ANY . -m 'Rebuild with gnat-10)'
nmu topal_80-1 . ANY . -m 'Rebuild with gnat-10)'
nmu whitakers-words_0.2020.10.27-1 . ANY . -m 'Rebuild with gnat-10)'

The gcc-$V and ghdl packages Build-Depend on an explicit gnat version,
but not on the default compiler.
They are not affected.

The ada-reference-manual package requires an Ada compiler for an
intermediate documentation formatter.
It is not affected.

When would a reupload to unstable be appropriate?



Bug#974982: transition: krb5

2020-11-23 Thread Sam Hartman
I've proposed a patch to libapache-mod-auth-kerb.
If someone tests the patch, I'll NMU.


mia-query on the maintainer of libapache-mod-auth-kerb is revealing;
I'll contact the MIA team and suggest orphaning or removing
libapache-mod-auth-kerb.



Bug#973736: buster-pu: package pulseaudio/12.2-4+deb10u2

2020-11-23 Thread Felipe Sateler
Hi Salvatore,

Sorry for the delay.


On Sun, Nov 22, 2020, 13:18 Salvatore Bonaccorso  wrote:

> hi stable release managers, hi Felipe,
>
> On Wed, Nov 04, 2020 at 09:33:21AM +0100, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: car...@debian.org,fsate...@debian.org
> >
> > Hi SRM, hi Felipe
> >
> > [ Reason ]
> >
> > pulseaudio's daemon.conf uses the (for that version of upstream)
> > default of yes for flat-volumes. The flat-volumes value enables
> > 'flat' volumes: the sink volume equals the maximum of the volumes of
> > the inputs connected to it. But this can cause quite some surprises
> > and problems and can hurt ears depending on e.g. headphone values.
> >
> > So some distributions have changed that already in past
> > and upstream did as well in later versions.
> >
> > In unstable the change was done in the 13.0-3 upload.
> >
> > [ Impact ]
> >
> > So far users probably stumbling over the problem have changed away
> > from the default in their configuration.
>
> Any comment on this proposed update? Although I completely see the
> point, as it is changing a default in stable, I still wonder if we
> should do it, because it has been switched upstream and was a problem
> several times for reporting users.
>


I don't think this change is in scope for a stable update. While I agree it
has been problematic for many users, and that this setting has great
relevance, this same impact makes me doubt it is fit for a stable update.

This is not a bugfix, it is a change in the default value of a setting.
Even if I agree with the new value, I don't think it is the sort of change
people expect in a stable update.

For the RT: this setting changes the behavior of the volume controls.
Current behavior in stable is to move the master volume along with the
loudest app volume (which creates the problem of a single app raising your
volume to very high levels). Current behavior in unstable is to decouple
them: app volume is now relative to the master volume.

This is all based on my understanding of how stable should remain stable. I
have no technical issue with backporting the setting change. Therefore, if
the release team deems the change in setting as appropriate, I won't object
(and very much welcome if you could upload it).

Saludos


Bug#975514: buster-pu: package mutt/1.10.1-2.1+deb10u4

2020-11-23 Thread Antonio Radici
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This is a fix for CVE-2020-28896. I discussed with two members of the security
team (Moritz Muehlenhoff and Salvatore Bonaccorso) whether to do a DSA; in the
end it was decided, given that this requires a malicious server, to add it to
the next point release, which is happening soon.

[ Impact ]
Same as the CVE: a malicious server could force the client to send the
credentials over an unencrypted connection.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
See impact.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
A two line patch provided by the maintainer and checked by myself, already in
unstable.

[ Other info ]
Security team is aware, I've already done the upload to shorten your review
time.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog2020-07-02 16:45:23.0 +0200
+++ mutt-1.10.1/debian/changelog2020-11-23 09:26:09.0 +0100
@@ -1,3 +1,10 @@
+mutt (1.10.1-2.1+deb10u4) buster; urgency=medium
+
+  * debian/patches:
++ fix for CVE-2020-28896 located in security/CVE-2020-28896.patch.
+
+ -- Antonio Radici   Mon, 23 Nov 2020 09:26:09 +0100
+
 mutt (1.10.1-2.1+deb10u3) buster; urgency=medium
 
   * debian/patches:
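Review bot: `++ fix for CVE-2020-28896 located in security/CVE-2020-28896.patch.` says where the fix lives but not what it fixes; for a point-release changelog that users read through apt-listchanges, state the impact in one line (a malicious IMAP server could make the client send credentials over an unencrypted connection) and add the Debian bug reference if one is filed. Distribution `buster` and `urgency=medium` are appropriate for a pu upload.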
diff -Nru mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch 
mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch
--- mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch1970-01-01 
01:00:00.0 +0100
+++ mutt-1.10.1/debian/patches/security/CVE-2020-28896.patch2020-11-23 
09:26:09.0 +0100
@@ -0,0 +1,39 @@
+From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy 
+Date: Mon, 16 Nov 2020 10:20:21 -0800
+Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
+
+During connection, if the server provided an illegal initial response,
+Mutt "bailed", but did not actually close the connection.  The calling
+code unfortunately relied on the connection status to decide to
+continue with authentication, instead of checking the "bail" return
+value.
+
+This could result in authentication credentials being sent over an
+unencrypted connection, without $ssl_force_tls being consulted.
+
+Fix this by strictly closing the connection on any invalid response
+during connection.  The fix is intentionally small, to ease
+backporting.  A better fix would include removing the 'err_close_conn'
+label, and perhaps adding return value checking in the caller (though
+this change obviates the need for that).
+
+This addresses CVE-2020-28896.  Thanks to Gabriel Salles-Loustau for
+reporting the problem, and providing test cases to reproduce.
+---
+ imap/imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/imap/imap.c
 b/imap/imap.c
+@@ -524,9 +524,9 @@
+ 
+ #if defined(USE_SSL)
+  err_close_conn:
+-  imap_close_connection (idata);
+ #endif
+  bail:
++  imap_close_connection (idata);
+   FREE (>capstr);
+   return -1;
+ }
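Review bot: as rendered here the embedded hunk has two damaged lines, ` b/imap/imap.c` without its `+++` marker and `+   FREE (>capstr);` with the address-of expression missing before `>capstr`; if the uploaded file really has this content the patch will not apply and the package will fail to build, so confirm with a test build of the source package. Otherwise the hunk is the same one-line move as in the neomutt request: `imap_close_connection (idata);` goes from the `USE_SSL`-only `err_close_conn:` label to `bail:`, so every `goto bail` now closes the connection before `return -1`. The now-statementless `err_close_conn:` label directly followed by `#endif` and `bail:` is still valid C (a label may precede another labeled statement), and it only remains so the existing `goto err_close_conn` sites keep compiling, which is exactly the cleanup the commit message defers to a later change.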
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series   2020-07-02 16:44:08.0 +0200
+++ mutt-1.10.1/debian/patches/series   2020-11-23 09:24:54.0 +0100
@@ -16,4 +16,5 @@
 security/CVE-2020-14093.patch
 security/CVE-2020-14154.patch
 security/CVE-not-yet-released.patch
+security/CVE-2020-28896.patch
 upstream/imap-preauth-and-ssh-tunnel.patch
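Review bot: the new entry is inserted before `upstream/imap-preauth-and-ssh-tunnel.patch` instead of being appended at the end of the series, so that later patch is now applied on top of the CVE fix. Since the CVE patch modifies `imap/imap.c` and the preauth patch, by its name, touches the same IMAP code, re-check that the pre-existing patch still applies at fuzz 0 after the new one shifted its context; appending at the end would have left the already-applied patches untouched.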

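The failure mode both of Antonio's requests describe (an IMAP connection that "bailed" on an invalid greeting but was left open, a caller that looked at connection state instead of the return value, and credentials then leaving in plaintext with $ssl_force_tls never consulted) can be modelled in a few dozen lines. This is an added, constructed example and not mutt's or neomutt's code: `Conn`, `open_connection_buggy`, `open_connection_fixed`, `negotiate_tls` and `run_scenario` are stand-ins, and the greeting check is simplified to the two legal initial responses. It contrasts the pre-fix and post-fix shapes of the connect routine with two callers, one mirroring the flawed status check and one checking the return value, and shows which combinations let credentials out unencrypted.

```c
/* Constructed model of the CVE-2020-28896 connection-setup logic.
 * Not mutt's real code: struct, greeting check and STARTTLS step are
 * simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum login_result { NOT_SENT = 0, SENT_OVER_TLS = 1, SENT_PLAINTEXT = 2 };

typedef struct {
    int  fd;            /* -1 once closed */
    bool tls;           /* true after STARTTLS succeeded */
    bool ssl_force_tls; /* user setting: never authenticate without TLS */
} Conn;

static void conn_close(Conn *c) { c->fd = -1; c->tls = false; }

/* Only "* OK" and "* PREAUTH" are legal initial server responses here. */
static bool greeting_is_valid(const char *g) {
    return strncmp(g, "* OK", 4) == 0 || strncmp(g, "* PREAUTH", 9) == 0;
}

/* Shared tail of connection setup.  This is the step that consults
 * ssl_force_tls; a bail before this point skips it entirely. */
static int negotiate_tls(Conn *c, bool server_offers_starttls) {
    if (server_offers_starttls) { c->tls = true; return 0; }
    if (c->ssl_force_tls) { conn_close(c); return -1; }
    return 0; /* plaintext explicitly allowed by configuration */
}

/* Pre-fix shape: an invalid greeting bails but leaves the socket open. */
static int open_connection_buggy(Conn *c, const char *greeting, bool starttls) {
    c->fd = 3; c->tls = false;            /* pretend TCP connect succeeded */
    if (!greeting_is_valid(greeting))
        return -1;                        /* bail without closing */
    return negotiate_tls(c, starttls);
}

/* Post-fix shape: every bail path closes the connection first. */
static int open_connection_fixed(Conn *c, const char *greeting, bool starttls) {
    c->fd = 3; c->tls = false;
    if (!greeting_is_valid(greeting)) {
        conn_close(c);
        return -1;
    }
    return negotiate_tls(c, starttls);
}

static enum login_result send_credentials(const Conn *c) {
    if (c->fd < 0) return NOT_SENT;
    return c->tls ? SENT_OVER_TLS : SENT_PLAINTEXT;
}

/* Caller as described in the upstream commit message: it decides whether
 * to authenticate from the connection status, not from the return value. */
static enum login_result login_by_status(Conn *c, const char *greeting, bool starttls, bool fixed) {
    int rc = fixed ? open_connection_fixed(c, greeting, starttls)
                   : open_connection_buggy(c, greeting, starttls);
    (void)rc;                             /* deliberately ignored */
    if (c->fd < 0) return NOT_SENT;
    return send_credentials(c);
}

/* Defensive caller: trust the return value, never the socket state. */
static enum login_result login_by_rc(Conn *c, const char *greeting, bool starttls, bool fixed) {
    int rc = fixed ? open_connection_fixed(c, greeting, starttls)
                   : open_connection_buggy(c, greeting, starttls);
    if (rc != 0) { conn_close(c); return NOT_SENT; }
    return send_credentials(c);
}

/* Run one scenario from a fresh connection and report where the
 * credentials ended up. */
static enum login_result run_scenario(bool fixed, bool rc_caller, const char *greeting,
                                      bool starttls, bool force_tls) {
    Conn c = { -1, false, force_tls };
    return rc_caller ? login_by_rc(&c, greeting, starttls, fixed)
                     : login_by_status(&c, greeting, starttls, fixed);
}

int main(void) {
    const char *bad = "* BAD go away", *ok = "* OK ready";
    printf("buggy connect, status caller, bad greeting, force_tls: %d\n",
           run_scenario(false, false, bad, true, true));   /* 2: plaintext leak */
    printf("fixed connect, status caller, bad greeting, force_tls: %d\n",
           run_scenario(true, false, bad, true, true));    /* 0: nothing sent */
    printf("buggy connect, rc caller,     bad greeting, force_tls: %d\n",
           run_scenario(false, true, bad, true, true));    /* 0: caller fix alone suffices */
    printf("fixed connect, status caller, OK + STARTTLS, force_tls: %d\n",
           run_scenario(true, false, ok, true, true));     /* 1: over TLS */
    return 0;
}
```

Either the connect routine closing on every bail (the upstream fix) or the caller checking the return value is enough to stop the leak; the model makes it visible that only the combination of the pre-fix connect routine and the status-checking caller sends credentials in plaintext despite `ssl_force_tls`.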

Bug#973407: marked as done (transition: r-api-bioc-3.12)

2020-11-23 Thread Debian Bug Tracking System
Your message dated Mon, 23 Nov 2020 09:35:52 +0100
with message-id <20201123083552.ga15...@ramacher.at>
and subject line Re: Bug#973407: transition: r-api-bioc-3.12
has caused the Debian Bug report #973407,
regarding transition: r-api-bioc-3.12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
973407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973407
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-CC: debia...@lists.debian.org


Hi,
Bioconductor 3.12 was released 2 days ago [1]. All r-bioc-* packages
need a manual upgrade.

[1] https://www.bioconductor.org/news/bioc_3_12_release/

Please set up a tracker manually, since this is a transition of a
virtual package name.

Ben file:
-
title = "r-api-bioc-3.12";
is_affected = .depends ~ /r-api-bioc/;
is_good = .depends ~ "r-api-bioc-3.12";
is_bad = .depends ~ "r-api-bioc-3.11";
-

Best,
Dylan
--- End Message ---
--- Begin Message ---
On 2020-10-30 10:11:25, Dylan Aïssi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-CC: debia...@lists.debian.org
> 
> 
> Hi,
> Bioconductor 3.12 was released 2 days ago [1]. All r-bioc-* packages
> need a manual upgrade.
> 
> [1] https://www.bioconductor.org/news/bioc_3_12_release/
> 
> Please set up a tracker manually, since this is a transition of a
> virtual package name.
> 
> Ben file:
> -
> title = "r-api-bioc-3.12";
> is_affected = .depends ~ /r-api-bioc/;
> is_good = .depends ~ "r-api-bioc-3.12";
> is_bad = .depends ~ "r-api-bioc-3.11";
> -

r-bioc-biocgenerics migrated and all users of r-api-bioc-3.11 in testing
have been updated to 3.12. Closing.

Cheers
-- 
Sebastian Ramacher
--- End Message ---